We note that you have added an extension to enable users to ensure we are GDPR compliant

What I am wondering is: do you have anything about your OWN data compliance, i.e. a data processing agreement and information about how you use or store the data? Where is this processed? In the EEA? Or outside of the EEA?

Anything else you think that is pertinent that will help us satisfy the requirements we have to meet as users that we use GDPR compliant tools/resources/suppliers.

2 Answers

CiviCRM is not a company that processes data or stores data, so I am not sure what you are talking about? I am not sure what you mean by 'your OWN data' in that respect? I am a CiviCRM community member, not an employee of CiviCRM.

CiviCRM itself is NOT a 'cloud' application. The community provides source code in a software package. You can install that on any server of your choice and THAT is where your data resides. CiviCRM itself does not process any data from customers.

The global CiviCRM community does have its own website where data of participants at CiviCons and CiviCamps, and active community members is stored. That is community based and maintained, there is not one organization specifically responsible for that data. I assume the data of that community site resides in the USA (and GDPR does not apply).

CiviCRM is not a supplier in the sense that it is an organisation that delivers you services at an agreed price. You as an organization download the codebase of CiviCRM.

If you want to know the license agreement that you agree to when you download CiviCRM you can find it here: https://civicrm.org/license.

If this does not answer your questions, then please explain what you are looking for in more detail.

I think Erik is likely right in terms of answering what Lisa is asking. But there is a possible side to the question that may be valid, and that is if Lisa's organisation has signed up as a member on civicrm.org - probably a question for Josh - will ping him on chat.
– petednz - fuzion♦ May 2 '18 at 19:42

That might indeed be the case @petednz, but then AFAIK the data resides in the US and as CiviCRM is US-based GDPR (which is a European "law") does not apply.
– ErikH - CiviCooP May 3 '18 at 6:55

GDPR does apply in the US, because it applies to user data stored in Europe AND to data from EU citizens. Any US company that processes personal data from EU citizens is affected.
– Djizeus May 3 '18 at 10:09

Yep, my understanding too is that GDPR relates to the 'contact' being an EU resident, not whether the organisation/company that is storing the data is based in the EU.
– petednz - fuzion♦ May 3 '18 at 19:31

Thanks, I did not know that. How does that apply to a community rather than a company then?
– ErikH - CiviCooP May 4 '18 at 12:57

I think it's important to provide some general information about your setup before we can fully understand what you need to take into account. As Erik has highlighted, you may be using CiviCRM with your own or website hosting, or you may have subscribed to an online service which provides you with a running copy of CiviCRM.

The reason it's important to understand the distinction is because the agreements which need to be in place will differ in the two situations.

If your organisation has arranged the hosting and is technically looking after your CiviCRM installation then your organisation is the data processor. You'll also need to check the hosting agreement to be sure if the data crosses boundaries, what the hosting provider does with the data, any sharing or selling etc.

If you've entered into an agreement for a software as a service implementation of CiviCRM, where you do not have a contract with the hosting provider, you should seek an agreement with the service provider to clarify all of the GDPR specific issues. Pretty much as above, you need to be clear with your supporters what is or isn't happening with their data and how you'll be using it.

The agreements differ because you probably have less control over how your data is shared in a software as a service platform; for instance, they may be using services for address cleansing or servers in the USA without your knowledge.

You'll be best served thinking of GDPR in two distinct areas:

Data: where it's held, how it's handled

Communications and marketing with your contacts, including permission to hold their data and agreement to your data/privacy policy

If you split up your compliance into these components, it becomes much easier to see where you're missing information and what agreements you'll need to have put in place.